CN-121283626-B - SM2 collaborative signature and encryption and decryption system and method integrating quantum resistance characteristics
Abstract
The invention discloses an SM2 collaborative signature and encryption and decryption system and method integrating anti-quantum characteristics, relating to the field of cryptography and information security. The invention deeply integrates an anti-quantum cryptographic algorithm with the national cryptographic SM2 collaborative computing framework to construct a key security system. An SM2 sub-private key, an anti-quantum key pair and a public key are generated through the anti-quantum algorithm software and hardware enhancement module, and the private key is stored encrypted and rotated periodically. The anti-quantum collaborative signature module and the encryption and decryption modules embed an anti-quantum verification mechanism and transmit data over the national cryptographic TLCP protocol to complete the signature and the encryption and decryption operations. A device integration and dynamic security control unit monitors the security state, calculates a threat index to generate a protection strategy, and dynamically switches security modes. This effectively solves the problems of insufficient security, susceptibility to attack and data tampering faced by the traditional SM2 algorithm under the threat of quantum computing, and remarkably improves the long-term attack resistance and operational reliability of the device in scenarios with high security requirements.
Inventors
- CHEN JING
- WANG ZHONGYI
Assignees
- 浙江汇信科技有限公司
Dates
- Publication Date: 20260508
- Application Date: 20251106
Claims (7)
- 1. An SM2 collaborative signature and encryption and decryption system integrating anti-quantum characteristics, characterized by comprising:
  an anti-quantum algorithm software and hardware enhancement module, wherein, on the premise of not changing the hardware of a standard server cipher machine that supports only national cryptographic algorithms, a client uses a software random number to generate an SM2 sub-private key D1; a server requests hardware random numbers from the standard server cipher machine to generate an anti-quantum key pair, an SM2 sub-private key D2 and a public key P, encrypts the plaintext private key with an SM4 key stored in the hardware secure area of the cipher machine, and stores the ciphertext in an external database; and, based on a preset period, the old ciphertext is decrypted with the old SM4 master key and re-encrypted with a new SM4 master key, the database record is updated, and the old key is securely erased to realize key rotation;
  an anti-quantum collaborative signature module, used for embedding an anti-quantum security element into the SM2 two-party collaborative signature process, wherein the client generates a random number to calculate a signature fragment and a verification code and sends them to the server, the server calculates the signature fragment after verification and returns it, and the client aggregates the signature fragment to obtain a complete signature result;
  an anti-quantum collaborative encryption module, used for enabling the client to preferentially start an anti-quantum collaborative encryption process when the client needs to send sensitive data to a target receiver; the specific operation steps of the anti-quantum collaborative encryption module are as follows: the client generates a temporary session key based on the post-quantum key encapsulation public key of the server and a post-quantum key encapsulation algorithm, and generates a main session key and an auxiliary key based on a double-hash algorithm and a key derivation function; the client preprocesses the original plaintext data, generating a random parameter L and an integrity check value C3 obtained by combining a timestamp with the plaintext, and concatenates them to form the data block to be encrypted; the client generates a random number and combines it with the base point G to obtain an SM2 elliptic curve point C1 and an encryption request parameter; the client signs the concatenation of the encryption request parameter, the main session key, C3 and the timestamp with its anti-quantum digital signature private key to generate a client encryption signature verification code; the post-quantum key encapsulation ciphertext, the encryption request parameter, the signature verification code, the timestamp and the random parameter L are transmitted to the server in segments through a national cryptographic TLCP1.1 secure channel; the server verifies the validity of the timestamp and verifies the signature of the client; after verification passes, the server securely obtains the SM2 sub-private key D2 and the post-quantum key encapsulation private key, decapsulates to obtain the session key, and derives the main session key and the auxiliary key, using the cipher machine; the server generates an encryption response parameter, executes the SM2 encryption operation to generate a ciphertext including C1, C2 and a verification value, signs to generate a server encryption signature verification code, and transmits the encryption result to the client; after verifying the timestamp and the signature, the client generates a symmetric key from the encryption response parameter and the auxiliary key, and outputs the ciphertext;
  an anti-quantum collaborative decryption module, used for starting an anti-quantum collaborative decryption process when the target receiver receives the encryption result; the specific operation steps of the anti-quantum collaborative decryption module are as follows: the client decapsulates the post-quantum key encapsulation ciphertext parsed from the ciphertext, based on the post-quantum key encapsulation private key held by the client, and restores a session key; the client calculates a hash value, combines the SM2 sub-private key D1 of the client with the elliptic curve point C1 in the ciphertext to obtain a decryption request parameter, and signs the decryption request parameter, the session key and a random number hash value with the anti-quantum digital signature private key to generate a client decryption signature verification code; the client encrypts and transmits the decryption request parameter, the signature verification code, the random number and the current timestamp to the server through the national cryptographic TLCP1.1 secure channel; after receiving the signature, the server verifies the validity of the timestamp, the consistency of the hash value of the random number, and the validity of the client signature; after verification passes, the server securely obtains the SM2 sub-private key D2 and the post-quantum key encapsulation private key from the cipher machine, decapsulates the session key based on the post-quantum private key, generates a decryption response parameter, derives a symmetric key t by combining the session key, decrypts the ciphertext data C2 to obtain an intermediate plaintext, calculates a verification value and performs integrity verification;
  and a device integration and dynamic security control module, used for deploying the cryptographic components in an initialization stage, monitoring the security state in an operation stage, dynamically adjusting the security policy based on the threat index, and realizing intelligent switching among a conventional mode, an enhanced mode and a highest protection mode.
- 2. The SM2 collaborative signature and encryption/decryption system with integrated anti-quantum characteristics according to claim 1, wherein the specific operation steps of the anti-quantum algorithm software and hardware enhancement module are as follows: When the server key management service is triggered, the server software requests a standard server cipher machine to generate a random seed with entropy value not less than 256 bits And random number The standard server cipher machine generates random number through internal true random number generator and returns through safe internal channel after randomness test, and the server software uses the following steps Generating an anti-quantum key pair for a unique seed of a deterministic random bit generator, and simultaneously based on Public key component obtained from client Quantum-resistant public key Cryptographic binding is performed by the formula Obtaining a hash value of an anti-quantum public key Wherein SM3 represents a cryptographic hash algorithm; Will be Mapping to the range of order n of SM2 elliptic curve ; By the formula Mod n obtains SM2 sub-private key D2 of the server side, wherein mod n represents a module ; SM2 public key assembly for server software to obtain client By the formula Mod n obtains a complete public key P, and the client verifies the correctness of the public key based on the sub-private key D1; After the server software successfully generates all plaintext private keys in the memory, encrypting each private key based on a standard server cipher machine, and returning the obtained private key ciphertext to the server software, wherein when the key reaches a preset period, the key management service automatically starts a rotation process, and the rotation object comprises an SM4 master key and an associated private key ciphertext.
- 3. The SM2 collaborative signature and encryption/decryption system with integrated anti-quantum features according to claim 1, wherein the specific operation steps of the anti-quantum collaborative signature module include: the client software generates a session key based on the post-quantum key encapsulation public key of the server, generates a temporary random number, and combines it with the base point G of the SM2 elliptic curve to obtain a temporary public key point; a message to be signed is generated based on the user identification hash value, the original message and the session key, and the SM3 hash value of the message to be signed is obtained through the hash algorithm; the client signs the concatenation of the client's temporary public key point and the hash value of the message to be signed, based on the anti-quantum digital signature private key and the SM2 sub-private key D1 held by the client, to generate a client signature verification code, and encrypts and transmits the session key, the hash value of the message to be signed, the client's temporary public key point and the signature verification code to the server through a national cryptographic TLCP1.1 protocol secure channel; the server verifies the client signature verification code based on the anti-quantum digital signature public key of the client, and the signature flow is terminated when verification fails; after verification passes, the server reads the corresponding private key ciphertext from the external database and sends it to the standard server cipher machine for decryption to obtain the plaintext private key, which is temporarily returned to the server software.
- 4. The SM2 collaborative signature and encryption/decryption system with integrated anti-quantum features according to claim 1, wherein the specific operation steps of the anti-quantum collaborative signature module further comprise: the server software requests the cipher machine to generate a random number; based on the random number, the SM2 sub-private key D2 obtained through decryption by the cipher machine, the hash value of the message to be signed sent by the client and the temporary public key point of the client, a signature fragment comprising a signature random number and a signature component is calculated based on an improved SM2 two-party collaborative signature algorithm; the server signs the concatenation of the signature fragments based on the anti-quantum digital signature private key to generate a server signature verification code; the client verifies the server signature verification code based on the anti-quantum digital signature public key; if the verification fails, the signature process is terminated, and if the verification passes, an aggregate signature value is obtained based on the SM2 sub-private key D1, the random number, the signature fragment and the session key, and the complete signature result is output.
- 5. The SM2 collaborative signature and encryption/decryption system with integrated anti-quantum features according to claim 1, wherein the specific operation steps of the device integration and dynamic security control module include: In the initialization stage, a cryptographic component is deployed and key materials are generated through an anti-quantum algorithm software and hardware enhancement module, in the operation stage, a security situation sensing unit acquires the cryptographic operation frequency, network request characteristics and abnormal behavior mode indexes, and a security control engine passes through a formula Calculating to obtain threat index , wherein, Represent the first The value of the individual threat indicators is set, Represent the first Weights of the threat indicators; A correction factor representing external threat intelligence; When the preset threshold value is smaller than the first preset threshold value, the normal mode is adopted; the enhancement mode is the case when the enhancement mode is between the first preset threshold value and the second preset threshold value; And the highest protection mode is set when the protection value is larger than a second preset threshold value.
- 6. The SM2 collaborative signature and encryption/decryption system with integrated anti-quantum features according to claim 1, wherein the specific operation steps of the device integration and dynamic security control module further comprise: the threshold value is adjusted through supervised learning, namely, the safety event result after the mode switching is recorded, and the corresponding threshold value is lowered if the safety event caused by the timely switching is not recorded; through the dual-threshold test verification, the dual-threshold strategy is operated in parallel in the non-core service period, and the optimal threshold is selected after comparison; Pre-tuning by trend prediction by the formula Calculating to obtain a threshold adjustment index , wherein, Representing the base threshold value of the value, The current time is indicated as such, The prediction period is represented by a time period, The method comprises the steps of displaying an adjustment amplitude coefficient, dynamically adjusting a first preset threshold value and a second preset threshold value in real time based on a threshold value adjustment index, switching modes based on hysteresis logic, and recording complete strategy switching log and safety event data by equipment.
- 7. A method applied to the SM2 collaborative signature and encryption and decryption system integrating anti-quantum characteristics as set forth in any one of claims 1 to 6, comprising the following steps:
  S1, anti-quantum algorithm software and hardware enhancement: on the premise of not changing the hardware of a standard server cipher machine that supports only national cryptographic algorithms, the client generates an SM2 sub-private key D1 using a software random number; the server requests hardware random numbers from the standard server cipher machine to generate an anti-quantum key pair, an SM2 sub-private key D2 and a public key P, encrypts the plaintext private key with an SM4 key stored in the hardware secure area of the cipher machine, and stores the ciphertext in an external database; meanwhile, key rotation is performed based on a preset period;
  S2, anti-quantum collaborative signature: an anti-quantum security element is embedded into the SM2 two-party collaborative signature process; the client generates a session key, a temporary public key and a client signature verification code based on a post-quantum key encapsulation algorithm; after verification, the server obtains the private key ciphertext from the external database for decryption, calculates a signature fragment and returns the server signature verification code;
  S3, anti-quantum collaborative encryption: when the client needs to send sensitive data to the target receiver, the client starts an anti-quantum collaborative encryption process and sends the encryption result to the target receiver;
  S4, anti-quantum collaborative decryption: when the target receiver receives the encryption result, an anti-quantum collaborative decryption process is started, the encryption result is decrypted, and the plaintext is output;
  and S5, device integration and dynamic security control: the cryptographic components are deployed in an initialization stage, the security state is monitored in an operation stage, the security policy is dynamically adjusted based on the threat index, and intelligent switching among a conventional mode, an enhanced mode and a highest protection mode is realized.
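The mode switching that claims 5 and 6 describe (a weighted threat index, two preset thresholds, three modes, hysteresis logic and a switch log) can be sketched as follows. This is an added example, not code from the patent: the page does not reproduce the threat-index formula, so the weighted sum scaled by the external-intelligence correction factor, the threshold values, the hysteresis margin and every name below are assumptions, and the indicator readings are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Mode(IntEnum):
    NORMAL = 0     # conventional mode
    ENHANCED = 1   # enhanced mode
    HIGHEST = 2    # highest protection mode

def threat_index(values, weights, correction=1.0):
    """Assumed form: correction * sum(w_i * x_i); the claim's own formula is not on the page."""
    if len(values) != len(weights):
        raise ValueError("one weight per threat indicator is required")
    return correction * sum(w * x for w, x in zip(weights, values))

@dataclass
class ModeController:
    t1: float        # first preset threshold
    t2: float        # second preset threshold
    margin: float    # hysteresis band width (assumed parameter)
    mode: Mode = Mode.NORMAL
    log: list = field(default_factory=list)   # policy-switch log

    def __post_init__(self):
        if self.margin < 0 or not self.t1 < self.t2 - self.margin:
            raise ValueError("bands must not overlap: need t1 < t2 - margin")

    @staticmethod
    def _band(t, t1, t2):
        # Claim 5 mapping: below t1 normal, between t1 and t2 enhanced, above t2 highest.
        return Mode.HIGHEST if t > t2 else Mode.ENHANCED if t >= t1 else Mode.NORMAL

    def update(self, tick, values, weights, correction=1.0):
        t = threat_index(values, weights, correction)
        up = self._band(t, self.t1, self.t2)
        # Escalate immediately; step down only once t falls below threshold - margin,
        # so an index hovering near a threshold does not make the device flap.
        down = self._band(t, self.t1 - self.margin, self.t2 - self.margin)
        new = up if up > self.mode else min(self.mode, down)
        if new != self.mode:
            self.log.append((tick, self.mode.name, new.name, round(t, 3)))
            self.mode = new
        return self.mode

# Constructed readings, normalised to 0..1:
# ((operation frequency, request features, abnormal behaviour), correction factor)
WEIGHTS = (0.3, 0.3, 0.4)
SAMPLES = [
    ((0.2, 0.2, 0.1), 1.0),     # index 0.16
    ((0.5, 0.4, 0.4), 1.0),     # index 0.43, crosses t1
    ((0.4, 0.4, 0.35), 1.0),    # index 0.38, inside the t1 hysteresis band
    ((0.6, 0.6, 0.6), 1.25),    # index 0.75, raised by threat intelligence
    ((0.7, 0.7, 0.65), 1.0),    # index 0.68, inside the t2 hysteresis band
    ((0.5, 0.5, 0.5), 1.0),     # index 0.50
    ((0.2, 0.2, 0.2), 1.0),     # index 0.20
]

def replay(samples=SAMPLES, t1=0.4, t2=0.7, margin=0.05):
    ctl = ModeController(t1, t2, margin)
    modes = [ctl.update(i, v, WEIGHTS, c).name for i, (v, c) in enumerate(samples, 1)]
    return modes, ctl.log

if __name__ == "__main__":
    print(replay())
```

Replaying the same readings with `margin=0.0` shows the flapping that the hysteresis band suppresses at ticks 3 and 5.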
Description
SM2 collaborative signature and encryption and decryption system and method integrating quantum resistance characteristics
Technical Field
The invention relates to the fields of cryptography and information security, in particular to an SM2 collaborative signature and encryption and decryption system and method integrating anti-quantum characteristics.
Background
With the rapid evolution of quantum computing technology, traditional cryptosystems based on the elliptic curve discrete logarithm problem face the serious security threat of being broken by Shor's algorithm. Meanwhile, with the deepening implementation of policy standards such as "Basic requirements for network security level of information security technology" and "GM/T0039-2019 server password technical requirements", and the sharp increase in the requirements of fields such as cloud computing, e-government and financial technology for high security, high compliance, and collaborative signature and encryption and decryption capability, collaborative security technology fusing anti-quantum characteristics with national cryptographic algorithms has become the core direction of transformation in the fields of cryptography and information security. However, the prior art still has a number of defects:
In the traditional technology, the quantified fusion logic between the SM2 collaborative mechanism and the anti-quantum algorithm is insufficient; the control strategy does not integrate the collaborative constraint parameters of the hardware capability of the standard server cipher machine and the anti-quantum operations of the software layer; a dynamic adaptation mechanism for mass storage of the server's private keys is lacking; the compliance association of the national cryptographic TLCP protocol used for communication between the client and the server is not considered in security verification; and the reliability and response efficiency of the collaborative signature and encryption and decryption flows across a wide range of scenario types are low.
In order to solve the above-mentioned defects, a technical scheme is provided.
Disclosure of Invention
The invention aims to solve the problems that the traditional SM2 algorithm is insufficiently secure under the threat of quantum computing and is vulnerable to man-in-the-middle attacks and data tampering during collaborative operation, and provides an SM2 collaborative signature and encryption and decryption system and method integrating anti-quantum characteristics.
The aim of the invention can be achieved by the following technical scheme: an SM2 collaborative signature and encryption and decryption system integrating anti-quantum characteristics, comprising:
an anti-quantum algorithm software and hardware enhancement module, wherein, on the premise of not changing the hardware of a standard server cipher machine that supports only national cryptographic algorithms, a client uses a software random number to generate an SM2 sub-private key D1; a server requests hardware random numbers from the standard server cipher machine to generate an anti-quantum key pair, an SM2 sub-private key D2 and a public key P, encrypts the plaintext private key with an SM4 key stored in the hardware secure area of the cipher machine, and stores the ciphertext in an external database; and, based on a preset period, the old ciphertext is decrypted with the old SM4 master key and re-encrypted with a new SM4 master key, the database record is updated, and the old key is securely erased to realize key rotation;
an anti-quantum collaborative signature module, used for embedding an anti-quantum security element into the SM2 two-party collaborative signature process, wherein the client generates a random number to calculate a signature fragment and a verification code and sends them to the server, the server calculates the signature fragment after verification and returns it, and the client aggregates the signature fragment to obtain a complete signature result;
an anti-quantum collaborative encryption module, used for enabling the client to preferentially start an anti-quantum collaborative encryption process when the client needs to send sensitive data to a target receiver;
an anti-quantum collaborative decryption module, used for starting an anti-quantum collaborative decryption process when the target receiver receives the encryption result;
and a device integration and dynamic security control module, used for deploying the cryptographic components in an initialization stage, monitoring the security state in an operation stage, dynamically adjusting the security policy based on the threat index, and realizing intelligent switching among a conventional mode, an enhanced mode and a highest protection mode.
As a further improvement of the invention, the specific operation steps of the anti-quantum algorithm software and hardware enhancement module are as follows: When the s